Firewall - Traffic Rules between Firewall Zones?

Dear Community,

I have configured my GL.iNet router with the LuCI firewall, dividing the network into two zones:
Zone 1 (HomeLAN) and Zone 2 (Entertainment). Currently, Zone 1 has access to Zone 2, while Zone 2 does not have access to Zone 1. Both zones maintain internet connectivity.

I would like to implement a specific exception that allows a single device in Zone 2, identified by its MAC address, to access a designated device in Zone 1, also identified by its MAC address, while preserving all existing access restrictions.

Is there an available guide that outlines the steps to configure this using SSH command line or within the LuCI Firewall (Traffic Rules) interface?

Thank you and Happy Tuesday! :hugs:

You can use the traffic rules in luci :+1:

So if device X wants to talk from zone A to zone B you can do this:

src: A (where device X is in)
source mac: MAC of device X (can be found under the advanced settings)
dest: the destination zone B
action/target: ACCEPT

If you want to make it only talk to one specific device on network B you also specify a destination ip :slight_smile:

In uci you can reflect upon this with uci show firewall.

It should be something like this:

uci add firewall rule
uci set firewall.@rule[-1].name='your rule name'
uci set firewall.@rule[-1].src='A'
uci set firewall.@rule[-1].src_mac='xx:xx:xx:xx:xx:xx'
uci set firewall.@rule[-1].dest='B'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart

Also, there is no dest_mac, because firewalls are not aware of layer 2, see:

So you could try using the direct IP (from zone B) as destination, or, if you really have no other option left, the more cumbersome option:

Create a traffic rule for device Z in zone B like this:

name: mark-device-z
src: B
dest: wan or wgclient
src_mac: deviceZ you want to track
use ipset: devicez (in advanced tab)
target/action: accept

Next to the traffic rules tab you should also have an ipset tab; create the ipset like so:

name: devicez
packet field match: src_ip
max entries: 1 (can also leave it empty)
counters: checked

Then restart the firewall. In the CLI, confirm that the ipset exists and populates as soon as device Z communicates with wan or wgclient with:

nft list sets

Then, based on this populated ipset, you can create the same traffic rule as in the previous post from zone A to zone B, with the exception that you specify the ipset there as well, but under match ipset.

The only issue with this approach is that while the ipset is not populated yet, the device is not reachable yet.

But that is how I would work around it if there was no other option; usually I just choose dest_ip and fully trust in a static MAC DHCP reservation.

Edit:
I haven't fully tested this out; it is possible it will not be possible, since I couldn't figure out how to match the ipset on the second rule, but I vaguely remember someone just writing down the ipset as destination IP. Just try if that is valid, even try it hardcoded, even if LuCI complains; if it works it will translate it on the final rule, if not then test the firewall to make sure it is not open to everyone, because a corrupt firewall can do that 👍
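To tie the dest_ip approach back to the original question, here is an added example (not from this thread or from GL.iNet) that renders the firewall rule for a single Entertainment device reaching a single HomeLAN device, plus the static DHCP lease that keeps that dest_ip bound to the HomeLAN device's MAC. Zone names follow the question; the MACs, IP and host name are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Zone names follow the
# question (src zone "Entertainment", dest zone "HomeLAN"); MACs, IP and
# host name passed to these functions below are constructed samples.

# uci src_mac needs a full six-octet MAC; reject anything else.
validate_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the /etc/config/firewall stanza equivalent to the uci commands in
# the answer, plus dest_ip so only one HomeLAN host becomes reachable.
# Usage: render_rule NAME SRC_ZONE SRC_MAC DEST_ZONE DEST_IP
render_rule() {
    validate_mac "$3" || { echo "render_rule: bad MAC '$3'" >&2; return 1; }
    printf "config rule\n"
    printf "\toption name '%s'\n" "$1"
    printf "\toption src '%s'\n" "$2"
    printf "\toption src_mac '%s'\n" "$3"
    printf "\toption dest '%s'\n" "$4"
    printf "\toption dest_ip '%s'\n" "$5"
    printf "\toption target 'ACCEPT'\n"
}

# dest_ip is only as good as the binding of that IP to the HomeLAN device,
# so pin it with a static lease stanza for /etc/config/dhcp.
# Usage: render_lease HOSTNAME MAC IP
render_lease() {
    validate_mac "$2" || { echo "render_lease: bad MAC '$2'" >&2; return 1; }
    printf "config host\n\toption name '%s'\n\toption mac '%s'\n\toption ip '%s'\n" "$1" "$2" "$3"
}

# Live variant of the answer's uci commands; only meaningful on the router.
apply_rule() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; run on the router" >&2; return 1; }
    validate_mac "$3" || return 1
    uci add firewall rule >/dev/null
    uci set "firewall.@rule[-1].name=$1"
    uci set "firewall.@rule[-1].src=$2"
    uci set "firewall.@rule[-1].src_mac=$3"
    uci set "firewall.@rule[-1].dest=$4"
    uci set "firewall.@rule[-1].dest_ip=$5"
    uci set "firewall.@rule[-1].target=ACCEPT"
    uci commit firewall && /etc/init.d/firewall restart
}

# Constructed sample: TV (aa:bb:cc:dd:ee:01) in Entertainment may reach the
# NAS at 192.168.8.10 in HomeLAN, whose IP is pinned to aa:bb:cc:dd:ee:02.
render_rule tv-to-nas Entertainment 'aa:bb:cc:dd:ee:01' HomeLAN 192.168.8.10
render_lease nas 'aa:bb:cc:dd:ee:02' 192.168.8.10
```

After applying on the router, `uci show firewall` should list the new rule with both src_mac and dest_ip set; without the lease, a DHCP change on the HomeLAN side would silently move the exception to a different host.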